Snort 2.9.12.0 complete installation walkthrough (detailed and up to date)

Introduction

Because a school experiment required installing Snort and detecting attack behaviour, and there were no good blog posts to refer to for the installation and configuration, I wrote this post as a record.

All compressed installation packages used in this environment are at the link: https://pan.baidu.com/s/15fUPTkCHYGJBJT3zur9Wjw, extraction code: rrw2; the link is valid long-term.
Operating system: Ubuntu 18.04 LTS
Environment: before going on to the next step, if your machine has not switched to a package mirror, configure one following step one first; if the sources are already updated, go straight to step two; if your system version is different, search for the sources that match your version.

1. Update the package sources

  • Elevate to root: sudo su
  • Edit the sources file: gedit /etc/apt/sources.list; below are the Aliyun mirrors
deb http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse
  • apt-get update
  • apt-get upgrade

2. Install the dependency packages Snort needs

  • Install the required header and library packages
apt-get install gcc                 : compiler; if this errors, apt-get install g++
apt-get install flex                : parser toolchain needed by DAQ
apt-get install bison               : parser toolchain needed by DAQ
apt-get install zlib1g-dev          : compression library needed by Snort
apt-get install libpcap-dev         : network traffic capture headers needed by Snort
apt-get install libdnet-dev         : not required; Snort only uses it as a simplified, portable interface to several network routines
apt-get install luajit              : LuaJIT, for the Lua headers
apt-get install liblua5.1-0-dev
apt-get install liblua5.1-0-dev liblua50-dev liblualib50-dev
apt-get install build-essential     : build tools for compiling software
apt-get install libpcre3-dev        : PCRE3 headers needed by Snort
apt-get install libdumbnet-dev      : same role as libdnet
apt-get install openssl libssl-dev  : SSL crypto components, providing SHA and MD5 file signatures
apt-cache search lua                : list the available Lua packages
  • Install libpcap from source
tar -zxvf libpcap-1.9.0.tar.gz
cd libpcap-1.9.0
./configure && make && make install
  • Install nghttp2 from source
tar -zxvf nghttp2-1.35.1.tar.gz
cd nghttp2-1.35.1
./configure && make && make install
  • Install LuaJIT from source
tar -zxvf LuaJIT-2.0.5.tar.gz
cd LuaJIT-2.0.5
make && make install    # note: LuaJIT has no ./configure step
  • Install PCRE from source
tar -zxvf pcre-8.42.tar.gz
cd pcre-8.42
./configure && make && make install
  • Install DAQ from source
tar -zxvf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure && make && make install
  • Install Snort from source
tar -xvzf snort-2.9.12.tar.gz
cd snort-2.9.12
./configure --enable-sourcefire
make
make install
  • Update the shared library cache
ldconfig
ln -s /usr/local/bin/snort /usr/sbin/snort
snort -V
  • Installation succeeded: when the cute pig appears, Snort is installed
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "ens33".
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.12 GRE (Build 325) 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.9.0-PRE-GIT (with TPACKET_V3)
           Using PCRE version: 8.42 2018-03-20
           Using ZLIB version: 1.2.11
  • But that is not enough: we still have to configure Snort as a NIDS before it can detect attack behaviour

3. Configure Snort as a NIDS

Create the target directories

  1. Create the snort user and group (not strictly required)
		sudo groupadd snort
		sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
  2. Create the required directories
# Snort installation directories
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/rules/iplists
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules

# Rule files and the server blacklist/whitelist
sudo touch /etc/snort/rules/iplists/default.blacklist
sudo touch /etc/snort/rules/iplists/default.whitelist
sudo touch /etc/snort/rules/local.rules

# Log directories
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs

# Adjust permissions
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules

# Change directory ownership
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules


The configuration files that will be copied into /etc/snort in the next step:

	classification.config : describes the attack classification types Snort understands (rules are grouped into these classes), for example trojan activity or system-call detection. The list of classifications is in section 3.4.6 of the Snort manual
	file_magic.conf       : describes the rules used to identify file types
	reference.config      : contains the URLs that rules reference to give more information about an alert
	snort.conf            : Snort's main configuration file; it tells Snort where its resources are, how to output alerts, and so on
	threshold.conf        : lets you control how many events are needed before an alert is generated, which helps suppress noisy alerts
	gen-msg.map           : tells Snort which preprocessor a rule belongs to (see the Snort documentation for details)
	unicode.map           : provides the mapping between Unicode languages and identifiers; Snort needs this file to start

  3. Copy the files into /etc/snort; the path here must be the directory where you extracted snort
cp ~/snort-2.9.12/etc/*.conf* /etc/snort
cp ~/snort-2.9.12/etc/*.map /etc/snort
cp ~/snort-2.9.12/etc/*.dtd /etc/snort
cp ~/snort-2.9.12/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/* /usr/local/lib/snort_dynamicpreprocessor/
  4. Modify the default configuration
	Edit snort.conf (your snort.conf is now under /etc/snort/)
			gedit /etc/snort/snort.conf
		1. Change a few paths: search for RULE_PATH and set the following variables as shown
			var RULE_PATH /etc/snort/rules
			var SO_RULE_PATH /etc/snort/so_rules
			var PREPROC_RULE_PATH /etc/snort/preproc_rules

			# If you are using reputation preprocessor set these
			var WHITE_LIST_PATH /etc/snort/rules/iplists/
			var BLACK_LIST_PATH /etc/snort/rules/iplists/
		2. Enable the local rules include by removing the leading #
			include $RULE_PATH/local.rules
		3. Change the configuration so the whitelist and blacklist take effect
			whitelist $WHITE_LIST_PATH/default.whitelist, \
			blacklist $BLACK_LIST_PATH/default.blacklist
  5. Install the rules package
tar zxvf snortrules-snapshot-29120.tar.gz -C /etc/snort
cp /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.12.0/* /usr/local/lib/snort_dynamicrules/
  6. Run a configuration test; ignore any WARNING lines, they do not affect the installation
sudo snort -T -c /etc/snort/snort.conf

......
Snort successfully validated the configuration!
Snort exiting

4. Detecting Nmap scans

  • Write the rules with gedit /etc/snort/rules/local.rules; in the rules below, replace IP with the address of the machine Snort is installed on
  • A brief introduction to how the rules below are written:
alert(keyword) tcp(protocol) ip port -> ip port (msg:""; dsize:0; sid:10000004;rev:1;)
keyword:
	alert   raise an alert
	pass    ignore the packet
	log     log the packet
	and so on
protocol: the packet protocol (TCP, UDP, ICMP, ...)
IP PORT: source IP, source port
-> IP PORT: destination IP, destination port
(): the parentheses hold the rule body, options that narrow down which captured packets match; below are some commonly used options from the official documentation
		format: each option has its own usage
		msg:"";	the message the engine and logging system print when a matching packet arrives
		reference:, ; [reference:, ;];	use this keyword to reference external attack identification systems
		gid:;	identifies which part of Snort generated the event when a specific rule fires
		sid:;	uniquely identifies the rule
		rev:;	identifies the revision of the Snort rule
		classtype:;	classifies the rule
		priority:;	sets the rule's priority level
		metadata:key1 value1;	embeds key-value pairs in the rule
		metadata:key1 value1, key2 value2;
  • Now we write out the Nmap detection rules
Nmap ping scan detection:
alert icmp any any -> IP any (msg: "Nmap ICMP Scan"; dsize:0;sid:10000004; rev: 1; )
Nmap TCP scan detection:
alert tcp any any -> IP 22 (msg: "Nmap TCP Scan";sid:10000005; rev:2; )
Nmap XMAS scan detection: checks for the FIN, PUSH and URG flags set together
alert tcp any any -> IP 22 (msg:"Nmap XMAS Tree Scan"; flags:FPU; sid:1000006; rev:1; )
Nmap FIN scan detection: the scan sets only the FIN flag
alert tcp any any -> IP 22 (msg:"Nmap FIN Scan"; flags:F; sid:1000008; rev:1;)
Nmap NULL scan detection: the scan sets no TCP flags at all
alert tcp any any -> IP 22 (msg:"Nmap NULL Scan"; flags:0; sid:1000009; rev:1; )
Nmap UDP scan detection:
alert udp any any -> IP any ( msg:"Nmap UDP Scan"; sid:1000010; rev:1; )
Alerts logged when the scans were run against the sensor:
12/31-09:02:29.049696  [**] [1:10000004:1] NMAP ping sweep Scan [**] [Priority: 0] {ICMP} XX.XX.XX.XX -> YY.YY.YY.YY
12/31-09:02:29.049735  [**] [1:10000004:1] NMAP ping sweep Scan [**] [Priority: 0] {ICMP} YY.YY.YY.YY -> XX.XX.XX.XX
12/31-09:03:37.246974  [**] [1:10000004:1] Nmap TCP Scan [**] [Priority: 0] {TCP} XX.XX.XX.XX -> YY.YY.YY.YY
12/31-09:03:37.247003  [**] [1:10000004:1] Nmap TCP Scan [**] [Priority: 0] {TCP} YY.YY.YY.YY -> XX.XX.XX.XX
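To check a local.rules file against the rule syntax explained above before loading it, here is an added Python example (not code from this post or from Snort) that parses the rule header and options and flags sids that are missing, below the 1000000 boundary Snort reserves for distributed rules, or reused; the sample rules and the sensor address 192.0.2.10 are constructed.

```python
import re

# Added example, not from the original post: parse Snort 2.x rules and lint a local.rules file.
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)'
    r'\s*\((?P<body>.*)\)\s*$')

def split_options(body):
    """Split the rule body on ';' but never inside a quoted value such as msg:"a;b"."""
    return [o.strip() for o in re.findall(r'((?:[^;"]|"[^"]*")+);', body + ";") if o.strip()]

def parse_rule(line):
    """Return the header fields plus option name -> value ('' for flag-style options like nocase)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("unparsable rule header: %s" % line.strip())
    rule = m.groupdict()
    body = rule.pop("body")
    rule["options"] = {n.strip(): v.strip() for n, _, v in
                       (opt.partition(":") for opt in split_options(body))}
    return rule

def lint_rules(text):
    """Return a list of problems found in a local.rules file; an empty list means it is clean."""
    problems, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or comment
        try:
            sid = parse_rule(line)["options"].get("sid", "")
        except ValueError as e:
            problems.append("line %d: %s" % (n, e))
            continue
        if not sid.isdigit():
            problems.append("line %d: missing or non-numeric sid" % n)
        elif int(sid) < 1000000:          # Snort reserves sids below 1,000,000 for distributed rules
            problems.append("line %d: sid %s is in the reserved range; local rules use >= 1000000" % (n, sid))
        elif sid in seen:
            problems.append("line %d: sid %s already used on line %d" % (n, sid, seen[sid]))
        seen.setdefault(sid, n)
    return problems

# Constructed sample: the post's ICMP and TCP rules with 192.0.2.10 standing in for the
# sensor IP, plus a third rule that re-uses an sid, which the linter should flag.
SAMPLE_RULES = """\
alert icmp any any -> 192.0.2.10 any (msg:"Nmap ICMP Scan"; dsize:0; sid:10000004; rev:1;)
alert tcp any any -> 192.0.2.10 22 (msg:"Nmap TCP Scan"; sid:10000005; rev:2;)
alert tcp any any -> 192.0.2.10 22 (msg:"Nmap FIN Scan"; flags:F; sid:10000005; rev:1;)
"""
```

Run lint_rules on the contents of /etc/snort/rules/local.rules before `snort -T`; a reused sid is accepted by Snort's config test but makes alerts from two rules indistinguishable in the log.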
  • Next we use Snort to identify HTTP flood behaviour
alert tcp any any -> IP 80 (msg:"GET Request flood attempt"; \
flow:to_server,established; content:"GET"; nocase; http_method; \
detection_filter:track by_src, count 30, seconds 30; metadata: service http;)
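To see when the detection_filter in this rule actually fires, here is an added Python model (not code from this post or from Snort) of the documented per-source counting: track by_src, count 30, seconds 30 means a source alerts on its 30th match inside a 30-second window and on every match after that until the window expires. The traffic and the addresses 203.0.113.7 and 198.51.100.4 are constructed.

```python
# Added example, not from the original post: a simplified model of the
# detection_filter semantics (track by_src, count 30, seconds 30) used in the rule above.
COUNT, SECONDS = 30, 30

class DetectionFilter:
    """Per-source counter: a source alerts on its COUNT-th match inside a SECONDS window."""
    def __init__(self, count=COUNT, seconds=SECONDS):
        self.count, self.seconds = count, seconds
        self.state = {}   # src -> (window start time, matches seen in this window)

    def matched(self, src, ts):
        """Record a rule match from src at time ts (seconds); True if Snort would alert."""
        start, n = self.state.get(src, (ts, 0))
        if ts - start >= self.seconds:      # window expired: open a new one from this packet
            start, n = ts, 0
        n += 1
        self.state[src] = (start, n)
        return n >= self.count

def replay(events, count=COUNT, seconds=SECONDS):
    """Feed (src, ts) rule matches in time order; return the ones that raise the alert."""
    f = DetectionFilter(count, seconds)
    return [(src, ts) for src, ts in sorted(events, key=lambda e: e[1]) if f.matched(src, ts)]

# Constructed traffic: 203.0.113.7 sends 40 GETs in 20 s (a flood) while 198.51.100.4
# sends 10 GETs spread over 90 s (ordinary browsing). Timestamps are seconds.
FLOOD = [("203.0.113.7", i * 0.5) for i in range(40)]
NORMAL = [("198.51.100.4", i * 10.0) for i in range(10)]
ALERTS = replay(FLOOD + NORMAL)

if __name__ == "__main__":
    for src, ts in ALERTS:
        print("%s alerted at t=%.1fs" % (src, ts))
```

Because every match past the 30th in the window alerts, the flood source above produces 11 alerts for 40 requests; pair the rule with an event_filter in threshold.conf to limit how many of those get logged.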
